Set Up a Basic Iptables Firewall on Amazon Linux AMI

How do I set up a basic iptables firewall on Amazon Linux AMI running on an EC2 or Lightsail instance?

AWS (Amazon Web Services) maintains its own Linux distribution called Amazon Linux AMI. It is largely binary compatible with CentOS/RHEL and uses the same sysvinit-style service and chkconfig tooling and the same /etc/sysconfig/iptables rules file. This page explains how to set up a basic iptables based firewall on Amazon Linux AMI. (On Amazon Linux 2, which uses systemd, install the iptables-services package and use systemctl enable iptables / systemctl start iptables in place of the chkconfig and service commands below; the rules file is the same.)

How To Set Up a Basic Iptables Firewall on Amazon Linux AMI

The procedure for setting up a basic firewall on Amazon Linux AMI is as follows:

  1. Log in to your Lightsail/EC2 instance using the ssh command.
  2. Switch to the root user by typing the sudo -i command.
  3. Create a file named /etc/sysconfig/iptables in iptables-save format (the init script loads it with iptables-restore).
  4. Open or close ports and set other options as per your needs; keep the rule that accepts ESTABLISHED connections so your current ssh session survives.
  5. Enable the iptables service at boot time, execute: sudo chkconfig iptables on
  6. Start the iptables service, run: sudo service iptables start

Do I really need an iptables firewall on an EC2 or Lightsail instance running Amazon Linux AMI?

The short answer is that it depends upon your needs.

Long answer: Both EC2 and Lightsail VMs come with a cloud-based firewall in front of the instance. When you create an AWS Lightsail instance/VM, some network ports are open by default. When a port is open, your instance accepts connections to it from the whole Internet. The Lightsail firewall shown here only lets you open or close a port, for example port 22; it does not let you restrict who may connect to port 22 or any other port by source IP address. The EC2 firewall (security groups), by contrast, lets you set a source or destination for the traffic.

You can change the network port settings for your Lightsail instance on the Networking tab of your instance management page.

That firewall is minimal: open or closed per port, with no source or destination address control for Lightsail instances. Therefore, setting up a basic iptables firewall on the instance itself is a good idea on Amazon Linux AMI. Even on EC2, a host firewall with a default-deny policy is a cheap second layer that protects you when a security group is edited by mistake or a new service starts listening on a port you did not expect.

Sample /etc/sysconfig/iptables

Type the following command:
sudo vi /etc/sysconfig/iptables
Add the following. The file is in iptables-save format: the *filter, :CHAIN POLICY [0:0] and COMMIT lines are mandatory, because the init script loads the file with iptables-restore and a file without them fails to load. Rules are evaluated top to bottom, so a DROP for a specific address must come before the ACCEPT rules it is meant to override. The addresses used are RFC 5737 documentation addresses; replace them with your own:

*filter
# Deny all inbound and forwarded traffic by default
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
# Accept all outbound traffic
:OUTPUT ACCEPT [0:0]
# Accept already connected sessions (this keeps your current ssh session alive)
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept all loopback
-A INPUT -i lo -j ACCEPT
# Deny from a specific IP address (placed before the ACCEPT rules so it wins;
# 198.51.100.25 is a placeholder)
#-A INPUT -m state --state NEW -s 198.51.100.25 -j DROP
# Open https/http port from anywhere
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
# Accept ssh port from anywhere (not recommended; leave commented out)
# -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Accept ssh port from only your static IP address (203.0.113.10 is a placeholder)
-A INPUT -m state --state NEW -m tcp -p tcp -s 203.0.113.10 --dport 22 -j ACCEPT
# Multiple IPs are also allowed, comma separated (iptables expands this to one rule per address)
# -A INPUT -m state --state NEW -m tcp -p tcp -s 203.0.113.10,203.0.113.11 --dport 22 -j ACCEPT
COMMIT

Note that with a DROP policy on INPUT, anything not listed is silently dropped, including ICMP; add an explicit ACCEPT for the ICMP types you need (for example echo-request for ping) if you rely on them.

Enable iptables service

Run the following chkconfig command:
sudo chkconfig iptables on

Start iptables service

Execute the following service command to start the iptables service on Amazon Linux AMI:
sudo service iptables start
The init script loads /etc/sysconfig/iptables with iptables-restore; if the file has a syntax error the service reports a failure and the rules are not loaded, so check its output. Your current ssh session survives because of the RELATED,ESTABLISHED rule, but before you log out, open a second ssh session from one of your allowed addresses to confirm you can still get in.

List iptables rules on Amazon Linux AMI

# Rules in iptables-save format (the same format as /etc/sysconfig/iptables)
sudo iptables -S
sudo iptables-save
# Human readable listing; -n skips DNS lookups, -v shows packet and byte counters
sudo iptables --list
sudo iptables -L
sudo iptables -L -n -v
sudo iptables -L -n -v --line-numbers
# A single chain, e.g. INPUT
sudo iptables -S INPUT
# A table other than the default filter table, e.g. nat or mangle
sudo iptables --table nat --list
sudo iptables -t mangle -L -n -v --line-numbers
The -S output should match what you wrote in /etc/sysconfig/iptables; the counters from -v tell you whether a rule is actually being hit.

A note about IPv6 firewall for Amazon Linux AMI

The rules above only cover IPv4. If your instance has a public IPv6 address, an IPv4-only ruleset leaves every listening service reachable over IPv6. In Amazon Linux AMI, IPv6 filtering is maintained separately from IPv4 using a file named /etc/sysconfig/ip6tables:
sudo vi /etc/sysconfig/ip6tables
Add the following config (same iptables-save format as the IPv4 file):

*filter
# Set default chain policies
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Accept ongoing traffic for any existing connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept all ICMPv6 packets (neighbour discovery and path MTU discovery depend on them)
-A INPUT -p ipv6-icmp -j ACCEPT
# Accept all traffic from/to loopback interface
-A INPUT -i lo -j ACCEPT
# Accept DHCPv6 traffic
-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT
# Custom rules go here
# Open port 80, 443 and 22 for IPv6
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Reject everything else that did not match a rule, using "administratively prohibited"
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT

The sample above opens port 22 to the whole IPv6 Internet. If you restricted ssh to your own addresses in the IPv4 file, do the same here with -s and your IPv6 prefix, otherwise the restriction is simply bypassed over IPv6.

Save and close the file in vim. Turn on ip6tables service and start it:
sudo chkconfig ip6tables on
sudo service ip6tables start

List rules:
sudo ip6tables -L -n -v --line-numbers
sudo ip6tables -L -n -v
sudo ip6tables -S
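The IPv4 and IPv6 files above are written by hand, and the two most common mistakes are a missing *filter/COMMIT framing (the service then fails to start) and a port-22 ACCEPT left without a source restriction. The following script is an added example, not code from the original article: it renders both rule files from one list of admin addresses, lints them for those two mistakes, and can test-parse them with iptables-restore --test before they are copied into /etc/sysconfig. The addresses (RFC 5737/3849 documentation ranges), the output directory and the TEST_LOAD variable are placeholders and assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: render the IPv4 and IPv6
# rule files described above from one admin allow-list, lint them for an
# accidentally world-open SSH rule, and optionally test-load them before
# they go into /etc/sysconfig. The addresses are RFC 5737/3849
# documentation ranges used as placeholders; replace them with your own.
ADMIN_V4="${ADMIN_V4:-203.0.113.10/32 198.51.100.0/24}"   # placeholder admin sources
ADMIN_V6="${ADMIN_V6:-2001:db8::/32}"                     # placeholder admin sources

# render_rules 4|6 SRC... : print an iptables-save format file to stdout.
# Policy is DROP on INPUT/FORWARD, ACCEPT on OUTPUT; only 80/443 are open
# to the world, port 22 only from the listed sources.
render_rules() {
    family=$1; shift
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT'
    if [ "$family" = 6 ]; then
        # ICMPv6 carries neighbour discovery and path MTU; dropping it breaks IPv6.
        printf '%s\n' '-A INPUT -p ipv6-icmp -j ACCEPT' \
            '-A INPUT -d fe80::/64 -p udp -m udp --dport 546 -m state --state NEW -j ACCEPT'
    else
        printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    fi
    for port in 80 443; do
        printf '%s\n' "-A INPUT -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    done
    for src in "$@"; do
        printf '%s\n' "-A INPUT -m state --state NEW -m tcp -p tcp -s $src --dport 22 -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# lint_rules FILE : fail if the file lacks the *filter/COMMIT framing that
# iptables-restore needs, or if any active (uncommented) rule accepts
# port 22 without a -s source restriction.
lint_rules() {
    file=$1
    grep -q '^\*filter' "$file" || { echo "$file: missing *filter" >&2; return 1; }
    grep -q '^COMMIT' "$file"   || { echo "$file: missing COMMIT" >&2; return 1; }
    if grep -v '^#' "$file" | grep -e '--dport 22 ' | grep -e '-j ACCEPT' | grep -vq -e ' -s '; then
        echo "$file: SSH (port 22) accepted from any source" >&2
        return 1
    fi
    return 0
}

# test_load 4|6 FILE : parse the file without touching the live ruleset
# (iptables-restore --test); needs root. A failure here is what would
# otherwise show up as "service iptables start" failing.
test_load() {
    case $1 in
        4) restore=iptables-restore ;;
        6) restore=ip6tables-restore ;;
        *) echo "usage: test_load 4|6 FILE" >&2; return 2 ;;
    esac
    "$restore" --test < "$2"
}

main() {
    out=${1:-${TMPDIR:-/tmp}/fw-rules}   # assumed staging directory
    mkdir -p "$out"
    # Word-splitting of ADMIN_V4/ADMIN_V6 into separate sources is intended.
    render_rules 4 $ADMIN_V4 > "$out/iptables"
    render_rules 6 $ADMIN_V6 > "$out/ip6tables"
    lint_rules "$out/iptables" && lint_rules "$out/ip6tables" || return 1
    if [ "${TEST_LOAD:-0}" = 1 ]; then
        test_load 4 "$out/iptables" && test_load 6 "$out/ip6tables" || return 1
    fi
    echo "rendered and linted: $out/iptables $out/ip6tables"
    echo "review, then: sudo install -m 600 $out/iptables /etc/sysconfig/iptables"
}

main "$@"
```

Run it as sh gen-firewall.sh to render into /tmp/fw-rules and inspect the result, then sudo TEST_LOAD=1 sh gen-firewall.sh to have iptables-restore and ip6tables-restore parse the files, and only then install them and start the services. The lint is deliberately simple: it demands a -s on every active port-22 ACCEPT, so it will not notice a rule that opens 22 through -m multiport --dports; extend it if you use that form.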

This page explained how to set up a basic IPv4 and IPv6 iptables firewall for Amazon Linux AMI. Even though Amazon offers a cloud-based firewall, a host firewall with a default-deny policy is a cheap second layer that avoids accidental exposure of ports and services to the Internet. Of course, this is not a complete tutorial, as we only covered the basics; the iptables(8) man page (man iptables) has the full option reference.
